From fb5eefeea5561f8862a81e363f924175076bd629 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Thu, 15 May 2008 17:00:45 +0000 Subject: [PATCH] SEC-740: Finished preauth chapter --- src/docbkx/preauth.xml | 35 +++++++++++++++++++++++++++++++---- src/docbkx/samples.xml | 7 ++++--- src/docbkx/springsecurity.xml | 14 ++++++++------ 3 files changed, 43 insertions(+), 13 deletions(-) diff --git a/src/docbkx/preauth.xml b/src/docbkx/preauth.xml index c07b43d3ad..03e3a77f25 100644 --- a/src/docbkx/preauth.xml +++ b/src/docbkx/preauth.xml @@ -73,7 +73,7 @@ authentication provider to read the authorities which were externally allocated to the user. We'll look at a concrete example next. -
+
J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource If the filter is configured with an authenticationDetailsSource which is an instance of this @@ -126,10 +126,37 @@
Concrete Implementations - TODO. + X.509 authentication is covered in its own chapter. Here we'll look at some classes + which provide support for other pre-authenticated scenarios. + +
+ Request-Header Authentication (Siteminder) + + An external authentication system may supply information to the application by setting specific headers on the HTTP request. + A well known example of this is is Siteminder, which passes the username in a header called SM_USER. + This mechanism is supported by the class RequestHeaderPreAuthenticatedProcessingFilter which + simply extracts the username from the header. It defaults to using the name SM_USER as the + header name. See the Javadoc for more details. + + + Note that when using a system like this, the framework performs no authentication checks at all and + it is extremely important that the external system is configured properly and protects all + access to the application. If an attacker is able to forge the headers in their original request without this being + detected then they could potentially choose any userame they wished. + + +
+ +
+ J2EE Container Authentication + + The class J2eePreAuthenticatedProcessingFilter will extract the username from the + userPrincipal property of the HttpServletRequest. use of this + filter would usually be combined with the use of J2EE roles as described above in . + + +
- - diff --git a/src/docbkx/samples.xml b/src/docbkx/samples.xml index e93accbdf0..f9d75a6df3 100644 --- a/src/docbkx/samples.xml +++ b/src/docbkx/samples.xml @@ -137,9 +137,10 @@ Pre-Authentication Sample This sample application demonstrates how to wire up beans from the pre-authentication - framework to make use of login information from a J2EE container. The user - - + framework to make use of login information from a J2EE container. The user name and roles are those setup by the container. + + + The code is in samples/preauth.
diff --git a/src/docbkx/springsecurity.xml b/src/docbkx/springsecurity.xml index dcb7e50e46..fd8e6ad3dd 100644 --- a/src/docbkx/springsecurity.xml +++ b/src/docbkx/springsecurity.xml @@ -161,9 +161,7 @@ - - - + @@ -171,16 +169,20 @@ - + + + + + - - + +
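Review bot: in the preauth.xml hunk at @@ -126,10 +126,37 @@ the Request-Header Authentication section has a doubled word, "A well known example of this is is Siteminder", and the warning paragraph misspells "username" ("choose any userame they wished"). The same warning is the only place the chapter tells the reader that RequestHeaderPreAuthenticatedProcessingFilter does no authentication of its own, so it should spell out what "protects all access to the application" means in deployment terms: the application must only be reachable through the Siteminder agent (or the proxy that sets the header), and a request carrying SM_USER that did not pass through that agent must be stripped of the header or rejected; otherwise any client can set SM_USER directly and log in as whichever user it names. Since the text says the header name is configurable and merely defaults to SM_USER, it is worth adding that the same caveat applies to whatever header name is chosen. Later in the same hunk, the J2EE Container Authentication paragraph starts a sentence in lower case ("use of this filter would usually be combined with ..."); it should read "Use of this filter ...". That paragraph should also say what J2eePreAuthenticatedProcessingFilter does when the container has not authenticated the request, since the userPrincipal property it reads is only populated after container authentication, and a reader wiring this up needs to know that the filter will then find no user to pre-authenticate.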
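Review bot: in the samples.xml hunk at @@ -137,9 +137,10 @@ "The user name and roles are those setup by the container." uses the noun form; as a verb it should be "set up by the container". Because the sentence states that both the user name and the roles come from the container, the sample description would be more useful if it added that the sample therefore only works once the container's realm has been configured with the expected users and roles, and pointed the reader at the pre-authentication chapter for the J2EE role mapping it relies on.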